The key to zero trust security? Changing human behavior
People are typically considered the weakest link in the cybersecurity chain because they fall prey to phishing schemes, giving malicious actors an entryway into the corporate network. But is that fair? Some blame security teams for making good cyber hygiene too daunting and complex. Whatever position you take, everyone agrees that, given how pervasive cyberattacks are, organizations need to improve their approach.
When users don't know how to be appropriately circumspect in computing situations, the organization leaves itself open to attack. The right approach puts users in a position to protect themselves and the organization by having the right tools and techniques.
"Quite often, it's not people who are to blame but security teams," says Lance Spitzner, director of research and community at the SANS Institute, who has spent 10 years developing courses on how to manage human risk. "We've made security complex and intimidating, and we talk about security in highly technical terms, so people don't have the tools to do it."
Passwords are a classic example, Spitzner says. People are taught "really complex, really hard rules" about the need to use uppercase letters and symbols and to make them long. Instead of blaming people for doing something wrong, Spitzner says security professionals need to focus on key behaviors and teaching people how to analyze links in emails, for example.
"We have focused so much on using technology to secure technology, but we've done so little to make security simple that we're making it easy for bad guys to target people," he says.
Zero trust is an approach to identity and access management that assumes no user or software is trusted by default and therefore, everything—users, devices, applications—must be authenticated. While some organizations are adopting zero trust principles, experts say they need to start focusing more on the people aspect.
"The zero trust mindset shift brings with it a set of design principles that guide security architecture development and build on existing security investments and processes," according to a Deloitte report. "To enforce access control, companies must have situational awareness of their data and assets; companies that lag on basic cyber hygiene principles and practices may be challenged to realize the full benefits of zero trust."
The need for security standards
This may sound straightforward, but zero trust means different things to different people, so standard goals need to be set, says John McDermott, who manages worldwide cybersecurity education at Hewlett Packard Enterprise.
If you ask an IT person, they will likely say zero trust means building a firewall or incorporating AI, he says. "All you're doing is putting blocks in the way to filter out some of the bad guys. Zero trust to me is a state of mind. You have to change people's mindsets and behaviors."
Large organizations may have as many as 50 people in their security organization, but typically, their mandate is to bring in technology to keep the network secure, says Spitzner. "Out of those 50, how many are focused on securing the human element? Quite often … it may be half of one person or, if you're lucky, one person. The other 49 are focused on tech, and then CISOs are wondering why people are hacked."
Spitzner's approach is to work with security personnel on making a fundamental shift. "Before we blame people—and they may be at fault—maybe we should take a look at ourselves."
Zero trust for humans
A good way to approach zero trust is to bake it in at the outset with a mantra that says everything is suspicious. That's why McDermott argues for education on "creating human firewalls."
After all, he argues, "individuals have become the first and last line of defense." For instance, they need to know that if they click on something suspicious, they must alert the cybersecurity team.
But when a zero trust policy is in place, IT will supply users with apps built with security in mind, McDermott says. Then, organizations can focus on the human element. This includes "good security awareness training, but not just five-minute videos, which are terrific because they're easily consumed—but easily forgotten," he says. "You have to internalize something, and if you do so, it becomes second nature."
By now, though, employees have either become daunted, skeptical, or burned out on security training.
McDermott acknowledges that "you've got to be clever about this. When you do ethical phishing attacks, why not add an incentive for everyone who responds to a test phishing email?" This could include entering them into a drawing for a monetary reward, he says.
He also advises security teams to drop the word training and instead develop a security awareness program.
"People are afraid of repercussions," he notes. There should also be a policy that says employees will not be ostracized or fired if they divulge the fact that they have been phished, McDermott says. He recalls a financial institution he knew of years back that told its employees that if they got hit with a phishing email three times, they would be let go.
"That's a horrible thing to do because these [phishing] emails are so clever," he says, and a link can be off by one character, creating the illusion that it is coming from a legitimate source.
HPE offers security awareness programs that include "lots of videos, [but] the clever part is being able to target security awareness to different groups," McDermott says. "One example would be to use behavioral, knowledge, and cultural assessments."
He says, "Too many organizations out there that do security awareness training provide you with 50 to 100-plus videos and walk away." McDermott's approach is to include assessments coupled with the organization's security risk policies and governance. "When we combine all that information, we get a solid foundation on which to build an awareness campaign for specific groups, using posters, newsletters, videos, and maybe even some simple PowerPoint slides—all of which are based on the organization's needs, knowledge, behavior, and culture."
People, process, and technology remain the secret sauce
Texas Children's Hospital, the largest pediatric hospital in the nation, has just started its journey to zero trust and plans to mature its practices in 2021 and beyond, says Teresa Tonthat, CISO. She says she still believes cyberthreat mitigation can be accomplished through a combination of people, processes, and technology.
"We have taken a risk-based approach with implementing certain capabilities that align with the zero trust framework," Tonthat says. "We know where our crown jewels are stored and have layered on hardened controls where appropriate. We also have multifactor authentication for all identities and privileged access management capabilities on our most critical accounts."
There are multiple ways to address people as the weakest link, she says. "As a starter, you can address this challenge by increasing awareness of your workforce by ongoing training, security highlights, and simulation activities. You can also embed enterprise cyber hygiene goals within your organization's annual performance metrics."
Healthcare organizations are particularly challenged because they have multiple groups to manage, not just employees and contractors but also volunteers, contingent workers, nurses, students, members, patients, vendors, and physicians—on top of the different devices they support.
Tonthat agrees that while some organizations may have a very strong technical security team, "they don't focus on telling the story to their stakeholders," or they talk in highly technical terms the stakeholders don't understand.
"If you focus on emphasizing the business value of having a secure posture, it should resonate with the business stakeholders," she says. "I tell my executives time after time that, at the end of the day, our team is not only in the business of cybersecurity. We're in the business of enabling patient care for children and women."
A CISO needs to gain the attention of the board and senior executives and ensure that they view IT security as a strategy not only for continued business operations but also for the ability to innovate. Then the CISO will have the support needed to mature and enhance the organization's security capabilities, Tonthat says.
One way to change a mindset of stakeholder skepticism about security or security training is "to be transparent with what's going on around us," she advises. "Periodically share the breaches other hospital institutions are facing and how impactful it is to their operations."
CISOs also need to home in on the areas of weakness in those institutions, be totally open about the fact that their own organization may also be vulnerable, and explain the plans to close that gap. "I truly believe the more transparent we are about why we do what we do and what we are seeing, the stakeholders' skepticism will be lessened," she says.
As far as Spitzner is concerned, security needs to be made simple. "Organizations need to be as serious about managing their human risk as their technology risk," he says. "Most CISOs will agree people represent their greatest risk, but instead of blaming them, we have to look at ourselves and say how can we help people be more secure?"
Lessons for leaders
- Technology and experts aren't enough. Everyone has to have a secure approach.
- Incentives can get people interested in improving security.
- People who report security problems should be reassured for doing so, not punished.
You're incentivizing people to look at emails more carefully. We want to encourage people to send in suspicious emails.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.